8.4 KiB
WireGuard
guide-by-example
Purpose & Overview
VPN.
When you need to connect to a machine/network over the internet, securely.
WireGuard is an opensource simple, fast and modern VPN.
Written in C, with userspace implementation written in Go.
WireGuard is included in linux kernel version 5.6 and newer.
WireGuard works at layer 3 and uses UDP protocol.
While with WireGuard there is no server-clients model, there are just peers
connecting to each other, this gudie will setup peer_A as a server listening at a port,
and clients will be connecting to it.
This setup runs directly on the host machine, not in a container.
Most of the stuff here is based on Arch wiki and
this tutorial.
This also seems rich in content.
Files and directory structure
/etc/
└── wireguard/
└── wg0.conf
Installation
on linux
Install wireguard-tools
package, or whatever is the equivalent in your distro.
The package should provide two command line utilities
wg
- utility for configuration and management of WireGuard tunnel interfaceswg-quick
- script for bringing up or down a WireGuard interface and provide some extra configuration functions
on Windows or macOS clients
Install the official application.
extra info:
Might be of interest server setup on
Windows
on Android or iOS devices
Install the official app from the stores.
Configuration on linux server
- switch to root and go in to in /etc/wireguard
su
cd /etc/wireguard
- generate a private key
wg genkey > peer_A.key
- create a public key from the private key
wg pubkey < peer_A.key > peer_A.pub
Use the generated keys in the wg0.conf, in the [Interface]
section.
wg0.conf
[Interface]
PrivateKey = AA9q7CkUG3MuKP1eyyJFGgKzACIJ1rRIkkWYAi3p3WM=
# PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
Address = 10.200.200.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s25 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE
[Peer]
# TESTER-1
# PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
PublicKey = eVolUbiYj1kY8neKiDnA+NPB2hhCcsGs7LNIhMvUYj0=
AllowedIPs = 10.200.200.2/32
[Peer]
# TESTER-2
# PrivateKey = QNc0dunuRQAjuKpFmRPqvPAysqpklctcdblqrazUT0o=
PublicKey = CAt7g42pPxgU5Lcc3uyNh5BmkITJS1K6XAoFbkhN6Qk=
AllowedIPs = 10.200.200.3/32
This configuration when run creates a new wg0
network interface on the machine.
[Interface] - section defining wg0
wireguard interface
- PrivateKey - the key that was generated, identifies the server, will be used to encrypt packets
- # PublicKey - just a note, what is the public key of the private key
- Address - IP address on the created wg0 network interface,
can be whatever you want as long as it does not clash with other networks.
/24
defines the mask as255.255.255.0
- ListenPort - port on which wireguard connects to the internet, using UDP protocol
- PostUp/PostDown - section where one can define what should be done after
the interface is turned on or off.
In this case forwarding traffic across the tunnel and enabling NAT for interfaceenp0s25
which you want to replace with your own
This setup ipv4 only
[Peer] - section defining a peers that will be able to connect
- PublicKey - public key of the peer
- AllowedIPs - IP addresses that you want to reach at the other end of the tunnel.
Whenwg-quick
is run with these defined, a route is added in to the machines network stack that makes sure that if something wants IP address defined here, it is send through the wireguard tunnel and not the default gateway.
Two peers can not have the same IP.
In this case we want to define only single IP of the client as being accessible, allowed through.
ipv4 packet forwarding
Without this you will be be able to connect, but your access will be only to the wireguard host. To have access to the entire network you need to enable packet forwarding.
You can check current value cat /proc/sys/net/ipv4/ip_forward
To permanently enable it create a file
/etc/sysctl.d/99-sysctl.conf
net.ipv4.ip_forward=1
NAT forwarding on the router
Forward port 51820 to the machine running the wireguard server.
Start and enable the service
sudo systemctl enable --now wg-quick@wg0
Configuration on clients
TESTER-1.conf
[Interface]
PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
# PublicKey = eVolUbiYj1kY8neKiDnA+NPB2hhCcsGs7LNIhMvUYj0=
Address = 10.200.200.2/32
[Peer]
PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
AllowedIPs = 192.168.5.0/24
Endpoint = 63.123.113.495:51820
[Interface] - section defining wireguard interface
- PrivateKey - private key of the peer
- # PublicKey - just a note, what is the public key of the private key
- Address - IP address on the created wireguard network interface,
/32
defines its mask as255.255.255.255
- a single host
[Peer] - section defining a peer, in this case server peer_A
- PublicKey - public key of the server
- AllowedIPs - IP addresses that you want to reach at the other end of the tunnel.
Whenwg-quick
is run with these defined, a route is added in to the network stack that makes sure that if something wants IP address defined here, it is send through the wireguard tunnel and not the default gateway.
Two peers can not have same IP set in there.
In this client case, we want to be able to communicate with the entire local network at the end of the tunnel, so the entire range is added. - Endpoint - public IP at which to find the WireGuard server across the internet
Troubleshooting
- can connect to the server, but not the LAN machines
make sure you set your network interface in PostUp/PostDown section on the server
Extra info
sudo wg show
shows current wireguard interface status, latest handshake, and parts of the configuration.- PersistentKeepalive
Set in clients[Peer]
section to the number of seconds,PersistentKeepalive = 25
Used for specific case where clients need to communicate with other clients which are behind NAT. This setting, present in a client config which is behind NAT, sends periodic traffic to the server, ensuring that NAT table on the router/firewall wont expire for this connection.
Vanity address generation.
The generated crypto keys are used all over in configuration. Would it not be nice if at a simple glance you would immediatly know which peer they represent?
Well, what if you generate few millions of keys and pick the ones that fit some rule of having a desired string somewhere in the first letters?
https://github.com/warner/wireguard-vanity-address
-
install
rust
programming language, that comes with cargo package manager -
install wireguard-vanity-address as a non root user
cargo install wireguard-vanity-address
it will be installed in to~/.cargo/bin
-
run it with the desired string
~/.cargo/bin/wireguard-vanity-address fuck
private OLyU1XhtCXTGzO+8ifCKR8skRL5md4n25/kiERHb3Gk= public fuCK9s9wyjQ8u6eUGzthFUUP6oV9FdnNnIzDvlJboD8=
Update
During host linux packages update.
Backup and restore
Backup
Using borg that makes daily snapshot of the /etc directory which contains the config file.
restore
Replace the content of the config file with the one from the backup.